Researchers say they have found the biggest Android security flaws known to date. The vulnerabilities, nestled inside Android’s media playback library Stagefright, are said to affect 950 million Android devices, which amounts to 95% of them.

Mobile security researcher Joshua J. Drake, vice president of platform research and exploitation at Zimperium zLabs, discovered the vulnerabilities in April, but believed there are plenty of manufacturers who still haven’t addressed them, Forbes reported.

(Related: Google offers bug bounty program of Android)

According to the Zimperium team, Drake’s research “found multiple remote code execution vulnerabilities that can be exploited using various methods, the worst of which requires no user-interaction. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual—with a trojaned phone.”

The vulnerability affects devices running Android version 2.2 and later. According to the researchers, versions prior to Jelly Bean are at the biggest risk because of insufficient exploit mitigations.

“We hope that members of the Android ecosystem will recognize the severity of these issues and take immediate action,” the Zimperium team wrote.